Bug 2266131 - [CLOSED] ffmpeg: Multiple vulnerabilities [fedora-all]
Keywords:
Status: CLOSED COMPLETED
Alias: None
Product: Fedora
Classification: Fedora
Component: ffmpeg
Version: 39
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dominik 'Rathann' Mierzejewski
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-02-26 18:24 UTC by Rohit Keshri
Modified: 2024-11-27 09:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-05-10 15:46:36 UTC
Type: ---
Embargoed:



Description Rohit Keshri 2024-02-26 18:24:51 UTC
More information about this security flaw is available in the following bug:

http://bugzilla.redhat.com/show_bug.cgi?id=2253172

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Rohit Keshri 2024-02-26 18:24:55 UTC
Use the following template for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug.  This will ensure that all associated bugs get updated
when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=medium

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2253172,2266131

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

Comment 2 Dominik 'Rathann' Mierzejewski 2024-05-10 15:46:36 UTC
FWIW, I can't reproduce the first one (CVE-2023-6601: HLS Unsafe File Extension Bypass), even with 6.0.1 on F38. I.e. the base64-encoded text doesn't get parsed and displayed.
...
[hls @ 0x5579e85c4080] Opening 'data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8' for reading
[xbin @ 0x5579e85c7600] Packet corrupt (stream = 0, dts = NOPTS).
[hls @ 0x5579e85c4080] Packet corrupt (stream = 0, dts = 0).
...

Second one (CVE-2023-6602: HLS Force TTY Demuxer) is reproducible with 6.0.1 (F38), but not with 6.1 (F39+).

Third one (CVE-2023-6603: HLS EXT-X-MAP Null Dereference) yields this with 6.0.1 (F38):
input.mp4: Cannot allocate memory
but no crash.

Fourth one (CVE-2023-6604: HLS XBIN Demuxer DoS Amplification) is not reproducible with 6.0.1 and later.

Fifth one (CVE-2023-6605: DASH Playlist SSRF) is reproducible with 6.0.1 but not with 6.1 (F39+).

So, given that F38 is nearly EOL and given that this is filed against F39, I'm closing this as CURRENTRELEASE.

Comment 3 Dominik 'Rathann' Mierzejewski 2024-05-10 15:59:45 UTC
I opened a separate bug for CVE-2023-6605 (bug 2280021), because that one is still valid for 6.1.

Comment 4 Michal Findra 2024-11-27 09:00:10 UTC
Closing this tracker -> incorrect tracker.

